spf-discuss

Re: For SPF Council review - PASS Definition - was: People keep misunderstanding what "Pass" and "Neutral" mean

2005-05-18 10:11:36

"Stuart D. Gathman" agonized:

> On Wed, 18 May 2005, Alex van den Bogaerdt wrote:
>
>> As I have proved above, this cannot hold.  Therefore there's
>> something wrong with the line of reasoning.  And there is; way
>> too much weight is put into this authentication statement.  If
>> you want strong authentication, USE strong authentication.
>
> There seems to be a disconnect on the meanings of the words
> "authentic" and "authorized".  I don't really care what they
> mean, I was molding their meaning to what I gathered from
> a previous post.  At this point, I'm convinced that there will
> never be a consensus on the meaning of those words, and it is
> time to find some different ones.
>
> Now, I will remold the meaning of "authentic" and "authorized"
> to fit your post - and I find that I agree with you!  Just as
> I agreed with the other post.  This reminds me of Catholic/Protestant
> debates.  Now I will attempt to find some substitute words.
>
>>> FAIL - not authorized and definitely not authentic
>>
>> definitely not authorized and probably not authentic
>> (this is almost the reverse of what you have!)
>
> "not authorized" here seems to mean "explicitly prohibited".
>
>>> PASS - authorized and authentic to the best of our ability
>>
>> Authorized thus reasonably confident it is authentic.  Complain
>> to me if this host's keeper doesn't do its job, I will take action
>> and stake my reputation on it.  Occasionally sh*t will happen but
>> I will make every effort to correct the situation.
>
> "Authorized" here seems to mean "the domain owner takes responsibility for
> it".
> "Authentic" is vaguely hinted to mean "not forged" - but the meaning
> is still unclear.  Perhaps "official"?
>
> Ok, let's try with "not prohibited" and "official" instead
>
> FAIL - explicitly prohibited by the domain owner
> NEUTRAL - not prohibited by the domain owner
> PASS - officially approved by the domain owner
> SOFTFAIL - prohibited, but be lenient


It's not the vocabulary that's wrong, it's the logic.

What I think we are trying to make with PASS is two logically-different
declarations:

1) That the IP is authorised by the domain owner to send messages on its behalf,
2) That the IP is trusted by the domain owner _not_ to send messages purporting
to be from the domain that were not, in fact, sent by that domain

Or to put it another way, Pass means that all messages coming from this IP and
claiming to be from this domain are, indeed, from this domain.

Using similar language, NEUTRAL means: the domain does send authorised messages
via this IP, but it is possible that the IP can also send messages claiming to
be from the domain but which were not actually authorised. The recipient cannot
therefore make any firm decision on the authenticity of any specific message on
the basis of this test alone.

SOFTFAIL (to me) says: The domain does not intend to send mail via this IP, so
anything claiming to be from the domain is probably unauthorised, but please
inform the domain owner about all such attempts, in case the domain has made an
error in configuring its mail system.

FAIL says: Anything coming from this IP which claims to be from our domain is
certainly unauthorised.


HTH

Chris Haynes
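As an added illustration (not part of the post above, and not the SPF project's own code), the following is a deliberately simplified SPF evaluator that shows how the `+`, `?`, `~` and `-` qualifiers on a domain's record produce the four results being debated, and then applies the four receiver-side readings Chris gives above. It is an assumption of this example that only `ip4`, `ip6` and `all` mechanisms appear in the record; `include`, `a`, `mx`, `redirect` and DNS lookups are out of scope. The record and sender addresses are constructed sample values from documentation ranges.

```python
import ipaddress

# Qualifier prefix -> SPF result name (RFC 7208, section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate a simplified SPF record (ip4/ip6/all only) for sender_ip.

    Returns "none" when the record is not an SPF record, otherwise the
    result named by the qualifier of the first matching mechanism, or
    "neutral" when no mechanism matches (the spec's default).
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        # partition() splits at the first ":" only, so ip6 arguments
        # such as "ip6:2001:db8::/32" keep their own colons intact
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # membership is False for a v4/v6 version mismatch, so an
            # IPv6 sender never matches an ip4 mechanism and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism not supported by this simplified evaluator: {name}")
    return "neutral"


def receiver_decision(result: str) -> dict:
    """Map a result to a handling decision following the four readings in
    the post (PASS: authentic; NEUTRAL: no firm decision; SOFTFAIL: accept
    but tell the domain owner; FAIL: certainly unauthorised). This is the
    poster's interpretation, not anything mandated by the SPF spec."""
    decisions = {
        "pass":     {"accept": True,  "authentic": True,  "notify_owner": False},
        "neutral":  {"accept": True,  "authentic": None,  "notify_owner": False},
        "softfail": {"accept": True,  "authentic": False, "notify_owner": True},
        "fail":     {"accept": False, "authentic": False, "notify_owner": False},
        "none":     {"accept": True,  "authentic": None,  "notify_owner": False},
    }
    return decisions[result]


def classify(record: str, sender_ip: str) -> dict:
    """Convenience wrapper: evaluate the record and attach the decision."""
    result = evaluate_spf(record, sender_ip)
    return {"ip": sender_ip, "result": result, **receiver_decision(result)}


if __name__ == "__main__":
    # Constructed sample record: one officially approved range, one host the
    # owner will not vouch for either way, one range it discourages, and a
    # hard prohibition for everything else.
    SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ?ip4:198.51.100.7 ~ip4:203.0.113.0/24 -all"
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "198.51.100.8"):
        print(classify(SAMPLE_RECORD, ip))
```

Running the block prints one decision per sample sender; the same record with `~all` instead of `-all` turns the last sender into a SOFTFAIL, and a record with no `all` term at all yields NEUTRAL for unmatched senders, which is exactly the "cannot make any firm decision" case Chris describes.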


